Able to remove profile without the need for a password

I'm currently running into an issue with Mobile Device Management in Lion Server with remotely managing the new 30 unit iPad cart our school just purchased.


I'm able to attach the iPads to the MDM server and the profile applies just fine. But I'm able to easily REMOVE the profile(s) from the iPad without the need for a password, even though I've configured one.


Three profiles get applied. 1) The organization profile 2) The Remote Management profile 3) The iPad-specific settings I've set.


The 3rd profile has a password set so that removal requires me entering the password. But I'm able to remove profile 1 and 2 WITHOUT the need for a password and then profile 3 automatically removes along with it.


Has anyone else run into this issue? According to Apple Care, this is by design. Maybe it is, but it seems like a HUGE design flaw in my opinion.

iPad 2, iOS 5.1, Lion Server - Mobile Device Manager

Posted on May 2, 2012 8:49 AM

24 replies

Jan 9, 2013 8:36 AM in response to WaylandNetAdmin

I also found that as teachers were trying to save themselves time they did backup/restores which removed MDM profiles. Which caused more work for them in the end because I then asked them to re-register with the MDM. Whether they did that or not I don't know. I don't have the time or energy to verify that they've done that.


I also found the naming of devices very problematic. I had named all devices based on barcode (since the barcode is covered once you put a case on) and they have since named them "UserName iPad 1", "UserName iPad 2", etc. That means nothing to me people! My brain works in barcodes.


I cautioned against going with Casper in the beginning because I wanted to test a free product first to see if it would meet my needs. While it's disappointing that the paid services can also be easily removed, it's nice that you chimed in and I can show this post to the powers-that-be when they ask to ramp this program up or look at buying Casper.


If you read this reply, would you be able to let me know if Casper does push-install of Apps or if it does push-suggestions? What I mean is does it install without user interaction or does the user still have to agree to install and then type in Apple ID password?

Feb 14, 2013 1:15 AM in response to Hermits

Hi, I thought I'd put my two cents in as well. We have about 40 iPads set up for student use and we use Profile Manager on an OS X Server. I have come up against all the restrictions that you're discussing and the only solution we have found is that there is no solution...Yet. It's up to Apple to change the spec of the XML profiles so that they include additional features.


Because it's an Apple limitation all MDM solutions are basically exactly the same, however there do seem to be a few small differences like Meraki's ability to alert you of profile deletion, and also the ability of a lot of 3rd party MDMs to support other platforms like Windows and Android.


In our IT department we're currently upgrading SCCM to 2012 SP1 so that we can use the MDM features and although I don't know much about it yet we're looking at Windows Intune to give us the cloud-based interface and tie it all in together with our existing network.

Apr 21, 2013 5:35 AM in response to WaylandNetAdmin

Hi,


I have more than 1000 devices and students are deleting the profiles in the same way. Apple has to think logically and enable the MDM profiles to be protected in order to keep iOS leading in the educational sector.


On AirWatch you may apply the configuration to use disciplinary action in case a student removes the profile.

Just enroll the device and apply unmanaged profiles with a password restriction, then remove the MDM profile; the unmanaged profile will stay and take control.


Thanks

Jun 6, 2014 12:43 PM in response to Hermits

I'm reposting my experience on this thread as well. I am able to lock the Device Management profile, maybe this is a new change, but here's how it works:

It is possible. I just ran into this myself. The key is in understanding the difference between supervised and unsupervised devices. Only supervised devices can be locked to an organization's Profile Manager. Devices are considered supervised when they are purchased by a company with a business account and account manager from Apple.

If the device is supervised there are now additional settings you can adjust. You can also create device groups. Any device purchased from Apple without a business account, or from anywhere else, is considered to be an unsupervised device. You can still add it to Profile Manager and control a lot, but the end user will be able to remove the Management Profile, and thereby all other profiles rolled out on the device or user level.


When you purchase from the Apple business store, your account manager will set up a list of the devices.

You log into the Apple Deployment site and enter your order number.

All your new devices are auto ported into your profile manager.

At that point you can set them to device groups

set device groups settings

then when you turn them on they will force you to login, register, etc etc.

After that you can layer on device and/or user profiles on top of your group profile.
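As an added illustration of the behaviour described in the original post and in the reply above (not code from any poster or from Apple), here is a small Python audit of configuration profiles that reports how each one can be removed. The sample profiles are constructed; the code assumes every listed profile was delivered through the MDM enrollment and is removed with it, and that `PayloadRemovalDisallowed` is honoured only on supervised devices.

```python
import plistlib

RANK = {"open": 0, "password": 1, "locked": 2}

def make_profile(name, payload_types, removal_password=None, locked=False):
    """Build a constructed configuration profile (plist bytes) for this demo."""
    content = [{"PayloadType": t} for t in payload_types]
    if removal_password:
        content.append({"PayloadType": "com.apple.profileRemovalPassword",
                        "RemovalPassword": removal_password})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": name,
                           "PayloadRemovalDisallowed": locked,
                           "PayloadContent": content})

def own_protection(raw, supervised):
    """Return (name, is_mdm_enrollment, protection) for one profile."""
    profile = plistlib.loads(raw)
    types = {p.get("PayloadType") for p in profile.get("PayloadContent", [])}
    if profile.get("PayloadRemovalDisallowed") and supervised:
        level = "locked"    # assumption: lock is honoured on supervised devices only
    elif "com.apple.profileRemovalPassword" in types:
        level = "password"  # protects only the profile that carries it
    else:
        level = "open"
    return profile["PayloadDisplayName"], "com.apple.mdm" in types, level

def audit(raw_profiles, supervised):
    """Effective protection per profile, assuming every profile in the list
    was delivered through the MDM enrollment and is removed along with it."""
    rows = [own_protection(raw, supervised) for raw in raw_profiles]
    enrollment = [level for _, is_mdm, level in rows if is_mdm]
    weakest = min(enrollment, key=RANK.get) if enrollment else None
    report = {}
    for name, is_mdm, level in rows:
        if weakest is not None and not is_mdm and RANK[weakest] < RANK[level]:
            level = weakest  # removing the enrollment profile takes this one with it
        report[name] = level
    return report

# Constructed sample mirroring the three profiles in the original post.
SAMPLE = [
    make_profile("Organization", ["com.apple.security.root"]),
    make_profile("Remote Management", ["com.apple.mdm"]),
    make_profile("iPad Settings", ["com.apple.applicationaccess"], removal_password="example-only"),
]
LOCKED = [SAMPLE[0], make_profile("Remote Management", ["com.apple.mdm"], locked=True), SAMPLE[2]]

if __name__ == "__main__":
    print(audit(SAMPLE, supervised=False))
```

With `SAMPLE`, the password on the settings profile is reported as `open` because the enrollment profile it depends on is unprotected; `LOCKED` shows the same set with the enrollment profile locked on a supervised device.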

Oct 3, 2014 4:21 PM in response to WaylandNetAdmin

There is no such thing as real MDM on an iOS device so might as well save the money. The profile can be removed just like that so that invalidates whatever fancy MDM you load LOL not to mention the erase; the iOS recovery and those are just the easy low end user initiated steps that will break any MDM in 10 seconds.


The high end user ways to disable MDM are outside the scope of this discussion and hey if the door is unlocked anyway why look for a key 🙂


Great work Apple; stick it to the enterprise community yet again

Sep 21, 2016 4:57 PM in response to s_eilers

s_eilers wrote:


Please note that you can switch any iOS device to "supervised" mode by using the Apple Configurator (which is available for free by Apple). It's easy but it will wipe your device. In this case you have full control and a real MDM as requested.

Wrong, I was able to delete the MDM profile off of our iPad even though it was in "supervised" mode. So yeah, this is just wrong.


From what I can tell, MDM is useless. People can just manually delete the profile even if you set it up with a password. I wasted a whole day getting the extremely buggy OS X Server app to finally get profiles flowing to devices, and then I find out they can just be simply deleted because the password protection feature flat out doesn't work at all! Wow thanks Apple.


Two full years after this problem was first seen, it still exists. Shows how much they actually care, right? I guess they were too busy removing the useful 3.5mm audio port from the iPhone to bother fixing show-stopper bugs in MDM.

Sep 22, 2016 5:11 PM in response to Hermits

We use AirWatch. You can set up app black lists and create app catalogs, but the profile deletion is still an issue. I've talked with many Apple reps and it doesn't look like they're interested in changing it.


I've found that Apple is very consumer-centric, and NOT corporate/government-centric AT ALL. My issues with them have been the central management of Apple IDs. At this agency I manage about 500 iDevices. At my last agency I managed about 1500. It seems that any time I call Apple, for any reason, they are less than helpful. :-(
